Just so.  What I was referring to were these reports:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=285276 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0957

As documented, this is clearly a feature, and not a bug.

> -----Original Message-----
> From: Michael Stassen [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, June 29, 2005 10:27 AM
> To: John Trammell
> Cc: mysql@lists.mysql.com
> Subject: Re: Underscore functions as a wildcard ?
> 
> This is not a bug.  MySQL uses _ as the single-character wildcard, and % as
> the multi-character wildcard in pattern matches.  This is clearly explained in
> the manual <http://dev.mysql.com/doc/mysql/en/grant.html>:
> 
>    Note: the '_' and '%' wildcards are allowed when specifying database
>    names in GRANT statements that grant privileges at the global or database
>    levels. This means, for example, that if you want to use a '_' character
>    as part of a database name, you should specify it as '\_' in the GRANT
>    statement, to prevent the user from being able to access additional
>    databases matching the wildcard pattern; for example, GRANT ... ON
>    `foo\_bar`.* TO ....
> 
> Michael
> 
> John Trammell wrote:
> 
> > I recall seeing this "feature" discussed on Bugtraq a few weeks ago.
> > IIRC there are updated MySQL versions that fix this bug.  What version
> > of MySQL are you running?
> > 
> > 
> >>-----Original Message-----
> >>From: Jeroen Bosch [mailto:[EMAIL PROTECTED] 
> >>Sent: Wednesday, June 29, 2005 6:59 AM
> >>To: mysql@lists.mysql.com
> >>Subject: Underscore functions as a wildcard ?
> >>
> >>We stumbled upon the following 'feature' of MySQL:
> >>
> >>If, for example user 'x' has a database called 'user_data' he is able to
> >>create a table called user2data and so on without create privileges.
> >>
> >>It looks like the underscore is used as some kind of wildcard, now is the
> >>question: is this correct or is this something that should not be?
> >>
> >>Kind regards,
> >>
> >>Jeroen Bosch
> 
> 

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/[EMAIL PROTECTED]
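
An added example, not part of the original thread: a small Python model of the wildcard rule quoted from the manual above, used to audit database-level grant patterns for unescaped '_' and '%'. The function names, the sample grants and the probe names are constructed for illustration, and the comparison is assumed to be case-sensitive.

```python
import re

def db_pattern_regex(pattern):
    """Compile a GRANT database-name pattern: '_' = any one character,
    '%' = any run of characters, backslash = next character is literal."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        out.append("." if ch == "_" else ".*" if ch == "%" else re.escape(ch))
        i += 1
    return re.compile("".join(out), re.DOTALL)

def unescaped_wildcards(pattern):
    """Offsets of '_' and '%' that are not preceded by an escaping backslash."""
    hits, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            i += 2
            continue
        if pattern[i] in "_%":
            hits.append(i)
        i += 1
    return hits

def audit(grants, names):
    """Return (user, pattern, wildcard offsets, other names also covered)
    for every grant whose pattern still contains a live wildcard."""
    findings = []
    for user, pattern in grants:
        offsets = unescaped_wildcards(pattern)
        if not offsets:
            continue  # fully escaped or wildcard-free: covers one name only
        rx = db_pattern_regex(pattern)
        also = [n for n in names if n != pattern and rx.fullmatch(n)]
        findings.append((user, pattern, offsets, also))
    return findings

# Constructed sample data: (user, database pattern) pairs and names to probe.
GRANTS = [("x", "user_data"), ("y", r"user\_data"), ("z", "shop%")]
NAMES = ["user_data", "user2data", "userXdata", "users_data", "shop", "shop_eu"]

if __name__ == "__main__":
    for finding in audit(GRANTS, NAMES):
        print(finding)
```

The grant for 'y', written with the escaped underscore as the manual recommends, produces no finding; the grant for 'x' is reported as also covering user2data, the case described in the original question.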
